News Mobile Security
Black Hat: Hacking iOS Applications Under The Spotlight
Security researcher Jonathan Zdziarski will demonstrate some of the techniques cybercrooks use in the wild, and what developers can do about them
Much has been written about malware targeting Google Android devices. But at this year's Black Hat USA in Las Vegas, a number of researchers will be poking around Apple’s iOS mobile operating system in the name of security.
|Click here for more of Dark Reading's Black Hat articles.|
More Security Insights
- The Power of Cloud: Driving Business Model Innovation
- Digital Transformation: Creating new business models where digital meets physical
- Strategy: How Cybercriminals Choose Their Targets and Tactics
- Strategy: Cybersecurity on the Offense
- Mobile DevOps: Achieving continuous delivery with multiple front ends and complex backends in Banking, Financial Services, and Insurance
- How Cloud Facilitates an Agile Contact Center
Among those researchers is Jonathan Zdziarski, senior forensic scientist at the Chicago-area security firm viaForensics. In his talk, titled "The Dark Art of iOS Application Hacking," he plans to go inside how modern financial applications, password and credit card managers, and other apps handling sensitive data can be attacked on the iOS platform.
"Apple has invested a lot of work to try and protect data at rest," he says. "Hardware-accelerated AES encryption has allowed Apple to implement an encrypted file system, which helps to protect a user's personal data at rest, as well as to help prevent deleted files from being recovered months later. The file system encryption has its flaws, but overall has helped to improve the security on what was previously a wide open disk. At one point, Apple's own refurbishing process even failed and released private customer data that could later be recovered from the device after its resale. Apple has done a much better job as of late to ensure proper data erasure."
The addition of address space layout randomization (ASRL) has also improved security, he adds. However, Apple’s approach to iOS also has holes that savvy attackers can sneak through. Rather than a talk about a zero-day bug Apple will likely patch the next day, Zdziarski says his discussion will focus on vulnerabilities in the design of the framework Apple and App store developers build their apps with -- in particular, Objective-C runtime.
"Old-school hacking used to require targeting a specific application and even sometimes a specific version of a specific application," Zdziarski explains. "By abusing Apple's own monoculture, however, an attacker can instead attack every application at once.
"I'll demonstrate how one small bit of code can be used to infect a number of financial applications installed on a device, steal data that would otherwise be SSL-encrypted, and upload user credentials and financial data to an off-site server belonging to an attacker," he says. "In addition to this, I'll demonstrate how Apple's file system encryption, with its many known flaws, can be compromised by uploading a Trojan to the device that will wait for the data to become unlocked by the device's user, and then copy/steal it in a similar fashion."
By abusing the runtime, attackers can break many of the security mechanisms written into applications and potentially steal data, he adds, targeting Apple’s foundation interfaces for developers to create an automated, widespread attack that could infect and steal data from every application running on a device.
"The developers I've worked with all appear to lack knowledge of just how easily the runtime can be manipulated," he says. "Once made aware, they are less likely to skirt around relying on the application's runtime for security and rely more on strong encryption. This is one of the best ways developers can protect their data; however, even this isn't a guarantee. I'll demonstrate some techniques from my book, "Hacking and Securing iOS Applications," that developers can use to help identify whether their application has been infected with a Trojan, or is being attacked as well."
Zdziarski's talk is scheduled for July 26.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.